1

I have been trying this since last week but no luck so far. Trying to enable SSO using the weblogic12c on windows and AD (using LDAP)

1) Created a brand new user , enabled AES 128 for him 2) Executed the following commands on AD

setspn -S HTTP/APPDEV2004.domain.com http_weblogic_test

verified the output using the command setspn -l http_weblogic_test the output is HTTP/APPDEV2004.domain.com HTTP/APPDEV2004

ktpass /out c:\http_weblogic_test.keytab /mapuser http_weblogic_test /princ HTTP/APPDEV2004.domain.com@DOMAIN.COM /pass /ptype KRB5_NT_PRINCIPAL /crypto All

Now when using the Kinit to verify that the Kerberos ticket is getting generated correctly, It always fails with the exception java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t C:\opt\http_weblogic_test.keytab

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre- 
authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 4 more

However it works perfectly fine when I supply the password from the commandline instead of using the keytab file java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit

KinitOptions cache name is D:\Users\ayadav\krb5cc_ayadav KinitOptions principal name from the cache is :http_weblogic_test@DOAMIN.COM

Principal is http_weblogic_test@DOMAIN.COM Password for http_weblogic_test@DOMAIN.COM: After entering the passowrd it goes through a series of steps and finally says New ticket is stored in cache file D:\Users\ayadav\krb5cc_ayadav, which I assume is a sign of successful ticket generation, however I am struggling to utilize the keytab file but need to get rid of the Pre-authentication information was invalid (24).

Update I also used the KTab commmand to generate the keytab file and use that however I am still getting the exception.

java sun.security.krb5.internal.tools.Ktab
-a http_weblogic_test@DOMAIN.COM <password> 
-k c:\opt\http_weblogic_test_new.keytab

java sun.security.krb5.internal.tools.Ktab
-a APPDEV2004.domain.com@DOMAIN.COM <password> 
-k  c:\http_weblogic_test_new_ktab.keytab

Updates - I am able to get the Kinit run successfully after updating the principal name inside krb5Login.conf to principal="HTTP/APPDEV2004.domain.com"

After deploying a test application to weblogic I can see the Kinit running to generate the TGT successfully

Response Excerpt 

principal is HTTP/APPDEV2004.oriental.com@ORIENTAL.COM
Will use keytab
Commit Succeeded 

Found KeyTab http_weblogic_test.keytab for 
HTTP/APPDEV2004.domain.com@DOMAIN.COM
Found ticket for HTTP/APPDEV2004.domain.com@DOMAIN.COM to go to 
krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 02 03:37:28 CDT 2018

I am using the following properties for the web.xml in the application 

<security-constraint>
    <display-name>AdminAccess</display-name>
    <web-resource-collection>
        <web-resource-name>AllAdminOperations</web-resource-name>
        <description/>
        <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Admin Only Access</description>
        <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>Secured Login</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>validUser</display-name>
    <web-resource-collection>
        <web-resource-name>application</web-resource-name>
        <description/>
        <url-pattern>/faces/home/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only Registered user can access this</description>
        <role-name>Basic</role-name>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>Basic</auth-method>
    <realm-name>**myrealm**</realm-name>
</login-config>
<security-role>
    <description>Deputy User</description>
    <role-name>Deputy</role-name>
</security-role>
<security-role>
    <description>AdminUser</description>
    <role-name>Admin</role-name>
</security-role>

and my weblogic.xml has 
<security-role-assignment>
  <role-name>Admin</role-name>
  <principal-name>Admin</principal-name>
</security-role-assignment>
<security-role-assignment>
 <role-name>Deputy</role-name>
 <principal-name>Deputy</principal-name>
</security-role-assignment>

I have configures the myrealm in the weblogic server with an ActiveDirectoryProvider (marked as SUFFICIENT) and NegotiateIndentityProviderAsserter (Form based Negotiation is marked disabled) However It is still showing the Basic Auth Dialog, and not signing me in.

Update - In the weblogic server debug logs I can see the following exception

<> <a71b8914-e309-4c08-97a5-2dcba34ea5be-00000044> <1525358738449> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:396)
at com.bea.security.utils.kerberos.KerberosTokenHandler.handleInitTokenForMultiKDC(KerberosTokenHandler.java:270)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:46)
at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:215)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:213)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:141)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:217)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:124)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:122)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy56.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionServiceImpl.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy62.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.assertChallengeContext(NegotiateIdentityAsserterServiceImpl.java:328)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.process(NegotiateIdentityAsserterServiceImpl.java:213)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl.process(NegotiateIdentityAsserterServiceImpl.java:132)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy63.process(Unknown Source)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterServletAuthenticationFilter.doFilter(NegotiateIdentityAsserterServletAuthenticationFilter.java:37)
at weblogic.servlet.security.internal.AuthFilterChain.doFilter(AuthFilterChain.java:34)
at weblogic.servlet.security.internal.WebAppSecurity$ServletAuthenticationFilterAction.run(WebAppSecurity.java:1106)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
at weblogic.servlet.security.internal.WebAppSecurity.invokeAuthFilterChain(WebAppSecurity.java:963)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:99)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:159)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:720)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:585)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:545)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2379)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2281)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2259)
at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1691)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1651)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:640)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:406)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)
Caused By: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:310)
at com.bea.security.utils.kerberos.KerberosTokenHandler.handleInitTokenForMultiKDC(KerberosTokenHandler.java:270)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:46)
at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:215)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:213)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:141)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:217)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:124)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:122)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy56.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionServiceImpl.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy62.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.assertChallengeContext(NegotiateIdentityAsserterServiceImpl.java:328)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.process(NegotiateIdentityAsserterServiceImpl.java:213)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl.process(NegotiateIdentityAsserterServiceImpl.java:132)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy63.process(Unknown Source)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterServletAuthenticationFilter.doFilter(NegotiateIdentityAsserterServletAuthenticationFilter.java:37)
at weblogic.servlet.security.internal.AuthFilterChain.doFilter(AuthFilterChain.java:34)
at weblogic.servlet.security.internal.WebAppSecurity$ServletAuthenticationFilterAction.run(WebAppSecurity.java:1106)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
at weblogic.servlet.security.internal.WebAppSecurity.invokeAuthFilterChain(WebAppSecurity.java:963)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:99)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:159)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:720)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:585)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:545)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2379)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2281)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2259)
at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1691)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1651)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:640)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:406)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)
Abhishek Yadav
  • 35
  • 1
  • 9
  • 1
    The Active Directory account must be cleared of the SPN you are planning to use before you create keytab using that same SPN. This is a little-known issue. Clear the Active Directory account of the SPN HTTP/APPDEV2004.domain.com, then check the account is clear of it with a *setspn -L*, then re-generate the keytab again and it should work but make sure that when you create the keytab the /mapuser parameter is *http_weblogic_test@DOMAIN.COM* and not just *http_weblogic_test*. See https://social.technet.microsoft.com/wiki/contents/articles/36470.kerberos-keytabs-explained.aspx for an example. – T-Heron May 01 '18 at 22:20
  • Thanks T-Heron, Could you help with the configuration here. – Abhishek Yadav May 02 '18 at 13:45
  • Is there something in particular that I should elaborate on, if my comment was confusing please let me know on what specifically you need more detail. – T-Heron May 02 '18 at 14:00
  • When I am hitting the application that I have deployed to the weblogic server , I am able to see the execution logs Similar to the KInit, however instead of automatically logging me in , It is still showing the Basic Auth dialog of the browser asking me to key in the credentials. – Abhishek Yadav May 02 '18 at 16:40
  • Strangely the issue was related to the client and server being on the same physical machine, when I hit the server url from a different machine available on the same domain, It was giving proper response, however I am not sure on the reason. – Abhishek Yadav May 14 '18 at 20:41

0 Answers0